ID.date Date of interview: 12/02/20
ID.start Time interview started: 12:44:16
ID.endDate Completion date of interview: 12/02/20
ID.end Time interview ended: 13:28:40
ID.time Duration of interview: 44.40


new Case 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Q3 


Does the draft guidance contain enough examples? 
O Yes 
© No 


C) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


Page 15 - examples of when it is appropriate to deal with a SAR in the normal course of business.
Page 18 - examples of complex requests and definition of "specialist work"
Page 23 - examples of clarifying the request and when the clock would and wouldn't stop on the deadline for responding
Page 24 - example of employee request to be expanded - what should the supermarket have done if the employee hadn't responded?
Page 25 - examples of the effort required to find information in back-up and archives. These would normally only be accessed if data had been accidentally deleted or lost from live systems, so what level of effort is required?
Page 25 - examples of "extreme measures" and what the ICO does expect of organisations
Page 27 - examples of observed or inferred data and what difficulties these could pose and how to address these. Also examples of big datasets
Page 28 - examples of adequate metadata
Page 31 - examples of "proprietary format"
Page 33 - examples of information that is irrelevant or unnecessary
Page 35 & 36 - specific examples of manifestly unfounded requests - particularly "unsubstantiated accusations" and targeting particular employees
Page 40 - examples of when it is and isn't appropriate to ask 3rd parties for consent to include their information in a SAR response. It's difficult to see how you could ever ask for a valid consent without disclosing the fact that a specific individual has made a SAR.
Page 41 - examples of when disclosing 3rd party information in a SAR (without that 3rd party's consent) would and wouldn't be a personal data breach
Page 44 - examples of when information is generally known to individual making request and examples of importance of information to requestor
Page 47 to 49 - examples of response to requestor explaining that exemptions applied
Page 49 to 50 - examples of the 4th and 5th functions described
Page 55 - more examples of "management information" - could it apply to confidential business and asset sales?
Page 56 - examples of when negotiations exemption ceases to apply to information relating to closed/settled negotiations
Page 57 - example of when reference is confidential
Page 58 - examples of when corporate finance exemption would apply
Page 77 - examples of organisations seeking to conceal


Q4 


We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like to
include a wide range of examples from a variety of sectors to help you. Please provide
some examples of manifestly unfounded and excessive requests below (if applicable).


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful


( ) ( ) ( ) ©) ( ) 


Q6 Why have you given this score? 


It is very well written - clear and easy to read. However, more examples are needed
and there are a number of terms which need further explanation/clarification/defining


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 
Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree


O © o) 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Page 12 - define (and give example of) a 3rd party portal
Page 18 - define specialist work
Page 19 - explain what happens if individual refuses to pay a reasonable fee. Examples of the level of charges ICO would regard as reasonable would be useful
Page 23 - Recital 63 indicates that the clock stops if the organisation requests additional information. The draft guidance does not appear to be consistent with this
Page 26 - explain what "other ways" consolidated data stores could assist organisations
Page 27 - define big datasets and explain why data analytics makes it more difficult to respond to a SAR. Explain why observed or inferred data makes it more difficult.
Page 29 - if individual does not ask for the supplementary information, should the response include this anyway? Is it sufficient to point to the privacy notice?
Page 30 - what if there are security concerns around providing response in same format as individual has made a request? Eg if made request electronically by social media or by unsecured email? Is it acceptable to provide data in an alternative format if it is more secure?
Page 30 - is it acceptable to provide transcripts / summaries of other types of information such as audio recordings / call recordings / videos / CCTV images etc?
Page 30 "commonly used electronic format" does not mean the format in which we supply the information. That is simply one format in which the information could be provided.
Page 38 - not a requirement of GDPR to inform individual that they can seek to enforce through judicial remedy - this should not be a mandatory requirement under the guidance
Page 40 - when asking a 3rd party for consent to include their information in a SAR response, what do you need to ask them for the consent to be valid? Can a valid consent be obtained without disclosing the identity of the requestor? TF it ic daamad tana ha


Are you answering as: 

O An individual acting in a private capacity (eg someone providing their views as a member of the public) 
(`) An individual acting in a professional capacity 

© On behalf of an organisation 

€ ) Other 

Please specify the name of your organisation: 


What sector are you from: 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


